McAfee® Host Intrusion Prevention 6.1 Product Guide | Maintenance | Setting up notifications for events | 8
Host Intrusion Prevention notifications
Host Intrusion Prevention supports the following notifications:
- Host Intrusion detected and handled
- Network Intrusion detected and handled
- Application blocked
- Computer placed in quarantine mode
Notifications can be configured only for all or none of the Host (or Network) IPS signatures. Entercept 5.x supported notifications based on sets of signature IDs or individual severity levels. Host Intrusion Prevention instead supports specifying a single IPS signature ID in the Threat Name or Rule Name field of the notification rule configuration: because the signature ID attribute of an event is mapped internally to the threat name, a rule can be created that uniquely identifies one IPS signature.
The specific mappings of Host Intrusion Prevention parameters allowed in the subject/body of a message include:
| Parameters | Host and Network IPS Event Values | Blocked Application Event Values | Quarantine Event Values |
| ReceivedThreatNames | SignatureID | none | none |
| SourceComputers | Remote IP address | computer name | computer name |
| AffectedObjects | Process Name | Application name | IP address of computer |
| EventTimestamp | Incident time | Incident time | Incident time |
| EventID | ePO mapping of event ID | ePO mapping of event ID | ePO mapping of event ID |
| AdditionalInformation | Localized Signature Name (from client computer) | Application full path | none |